U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject:

AUDIT OF INFORMATION SYSTEMS
GENERAL AND APPLICATION CONTROLS AT
MEDCO HEALTH SOLUTIONS, INC.

Pharmacy Benefit Manager for:
• BlueCross BlueShield Federal Employee Program
• American Postal Workers Union Health Plan
• Government Employees Health Association
• SAMBA Federal Employee Benefit Association
• Foreign Service Benefit Plan

Report No. 1A-10-00-11-052

Date: March 14, 2012

--CAUTION--
This audit report has been distributed to Federal and Non-Federal officials who are responsible for the administration of the audited contract. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage,
caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415

Office of the Inspector General

Audit Report

FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM

MEDCO HEALTH SOLUTIONS, INC.
Pharmacy Benefit Manager For:

BLUECROSS BLUESHIELD ASSOCIATION
CONTRACT 1039: CODES 104, 105, 111, 112
AMERICAN POSTAL WORKERS UNION HEALTH PLAN
CONTRACT 1370: CODES 471, 472, 474, 475
GOVERNMENT EMPLOYEES HEALTH ASSOCIATION
CONTRACT 1063: CODES 311, 312, 314, 315
SAMBA FEDERAL EMPLOYEE BENEFIT ASSOCIATION
CONTRACT 1074: CODES 441, 442, 444, 445
FOREIGN SERVICE BENEFIT PLAN
CONTRACT 1062: CODES 401, 402

Report No. 1A-10-00-11-052
Date: 03/14/12

Michael R. Esser
Assistant Inspector General for Audits

www.opm.gov    www.usajobs.gov

Executive Summary

This final report discusses the results of our audit of general and application controls over the information systems at Medco Health Solutions, Inc.

Our audit focused on the claims processing applications used to adjudicate Federal Employees Health Benefits Program (FEHBP) claims for Medco, as well as the various processes and information technology (IT) systems used to support these applications.
We documented controls in place and opportunities for improvement in each of the areas below.

Security Management
Medco has established a comprehensive series of IT policies and procedures to create an awareness of IT security at the Plan. We also verified that Medco has adequate human resources policies related to the security aspects of hiring, training, transferring, and terminating employees.

Access Controls
We found that Medco has implemented numerous physical controls to prevent unauthorized access to its facilities, as well as logical controls to prevent unauthorized access to its information systems. However, we found that Medco’s data center does not require two-factor authentication for access and that there is no documented review of system administrator activity.

Configuration Management
Medco has developed formal policies and procedures providing guidance to ensure that system software is appropriately configured and updated, controlling system software configuration changes, and monitoring configuration through vulnerability scanning.

Contingency Planning
We reviewed Medco’s business continuity plans and concluded that they contained the key elements suggested by relevant guidance and publications. We also determined that these documents are reviewed, updated, and tested on a periodic basis.

Claims Adjudication
Medco has implemented many controls in its claims adjudication process to ensure that FEHBP claims are processed accurately.
However, we found that Medco does not use the Office of Personnel Management (OPM) debarred provider listing to update its master pharmacy database. We also recommend that Medco implement several system modifications to ensure that its claims processing systems adjudicate FEHBP claims in a manner consistent with the OPM contract and other regulations.

Health Insurance Portability and Accountability Act (HIPAA)
Nothing came to our attention that caused us to believe that Medco is not in compliance with the HIPAA security and privacy regulations.

Contents

Executive Summary
I. Introduction
    Background
    Objectives
    Scope
    Methodology
    Compliance with Laws and Regulations
II. Audit Findings and Recommendations
    A. Security Management
    B. Access Controls
    C. Configuration Management
    D. Contingency Planning
    E. Claims Adjudication
    F. Health Insurance Portability and Accountability Act
III. Major Contributors to This Report

Appendix: Medco’s December 1, 2011 response to the draft audit report issued October 5, 2011.

I. Introduction

This final report details the findings, conclusions, and recommendations resulting from the audit of general and application controls over the information systems responsible for processing Federal Employees Health Benefits Program (FEHBP) claims by Medco Health Solutions, Inc. (Medco).

The audit was conducted pursuant to applicable FEHBP contracts; 5 U.S.C. Chapter 89; and 5 Code of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office of Personnel Management’s (OPM) Office of the Inspector General (OIG), as established by the Inspector General Act of 1978, as amended.

Background
The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on September 28, 1959. The FEHBP was created to provide health insurance benefits for federal employees, annuitants, and qualified dependents.
The provisions of the Act are implemented by OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance coverage is made available through contracts with various carriers that provide service benefits, indemnity benefits, or comprehensive medical services.

Medco is the pharmacy benefit manager responsible for processing prescription drug claims on behalf of the following FEHBP insurance carriers:
• Blue Cross Blue Shield (BCBS) Federal Employee Program - contract CS 1039;
• American Postal Workers Union Health Plan - contract CS 1370;
• Government Employees Health Association (GEHA) - contract CS 1063;
• SAMBA Federal Employee Benefit Association - contract CS 1074; and
• Foreign Service Benefit Plan (FSBP) - contract CS 1062.

This was our first audit of Medco’s general and application controls. We also reviewed Medco’s compliance with the Health Insurance Portability and Accountability Act (HIPAA).

All Medco personnel that worked with the auditors were particularly helpful and open to ideas and suggestions. They viewed the audit as an opportunity to examine practices and to make changes or improvements as necessary.
Their positive attitude and helpfulness throughout the audit were greatly appreciated.

Objectives
The objectives of this audit were to evaluate controls over the confidentiality, integrity, and availability of FEHBP data processed and maintained in Medco’s IT environment. We accomplished these objectives by reviewing the following areas:
• Security management;
• Access controls;
• Configuration management;
• Segregation of duties;
• Contingency planning;
• Application controls specific to Medco’s claims processing systems; and,
• HIPAA compliance.

Scope
This performance audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States. Accordingly, we obtained an understanding of Medco’s internal controls through interviews and observations, as well as inspection of various documents, including information technology and other related organizational policies and procedures. This understanding of Medco’s internal controls was used in planning the audit by determining the extent of compliance testing and other auditing procedures necessary to verify that the internal controls were properly designed, placed in operation, and effective.

The scope of this audit centered on the information systems used by Medco to process prescription benefit claims for FEHBP members. The business processes reviewed are primarily located in Medco’s Franklin Lakes, New Jersey facility.

The on-site portion of this audit was performed in June and July of 2011. We completed additional audit work before and after the on-site visits at our office in Washington, D.C.
The findings, recommendations, and conclusions outlined in this report are based on the status of information system general and application controls in place at Medco as of September 9, 2011.

In conducting our audit, we relied to varying degrees on computer-generated data provided by Medco. Due to time constraints, we did not verify the reliability of the data used to complete some of our audit steps but we determined that it was adequate to achieve our audit objectives. However, when our objective was to assess computer-generated data, we completed audit steps necessary to obtain evidence that the data was valid and reliable.

Methodology
In conducting this audit, we:
• Gathered documentation and conducted interviews;
• Reviewed Medco’s business structure and environment;
• Performed a risk assessment of Medco’s information systems environment and applications, and prepared an audit program based on the assessment and the Government Accountability Office's (GAO) Federal Information System Controls Audit Manual (FISCAM); and,
• Conducted various compliance tests to determine the extent to which established controls and procedures are functioning as intended. As appropriate, we used judgmental sampling in completing our compliance testing.

Various laws, regulations, and industry standards were used as a guide to evaluating Medco’s control structure.
These criteria include, but are not limited to, the following publications:
• Office of Management and Budget (OMB) Circular A-130, Appendix III;
• OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information;
• Information Technology Governance Institute’s CobiT: Control Objectives for Information and Related Technology;
• GAO’s FISCAM;
• National Institute of Standards and Technology’s Special Publication (NIST SP) 800-12, Introduction to Computer Security;
• NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-41 Revision 1, Guidelines on Firewalls and Firewall Policy;
• NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems;
• NIST SP 800-61, Computer Security Incident Handling Guide;
• NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA Security Rule; and,
• HIPAA Act of 1996.

Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether Medco’s practices were consistent with applicable standards. While generally compliant, with respect to the items tested, Medco was not in complete compliance with all standards as described in the “Audit Findings and Recommendations” section of this report.

II. Audit Findings and Recommendations

A. Security Management

The security management component of this audit involved the examination of the policies and procedures that are the foundation of Medco’s overall IT security controls. We evaluated Medco’s ability to develop security policies, manage risk, assign security-related responsibility, and monitor the effectiveness of various system-related controls.

Medco has implemented a series of formal policies and procedures that comprise a comprehensive security management program. Medco’s security management program is developed, maintained, and annually reviewed by Medco Global Security; its responsibilities include creating policies to protect against threats or improper use of protected health information, HIPAA compliance, and providing central governance and coordination. Medco has also developed a thorough risk management methodology, and has procedures to document, track, and alleviate or accept identified risks. We also reviewed Medco’s human resources policies and procedures related to the security aspects of hiring, training, transferring, and terminating employees.

Nothing came to our attention to indicate that Medco does not have an adequate security management program.

B. Access Controls

Access controls are the policies, procedures, and controls used to prevent or detect unauthorized physical or logical access to sensitive resources.

We examined the physical access controls of a Medco office complex and a separate data center facility, both in New Jersey.
We also examined the logical controls protecting sensitive data in Medco’s network environment and claims processing related applications.

The access controls observed during this audit included, but were not limited to:
• Procedures for granting and revoking physical access privileges to the data centers;
• Adequate intrusion detection and incident response capabilities;
• Controls over firewall configuration and security;
• Use of software tools to monitor and filter e-mail and Internet activity; and
• Strict identification and authentication requirements.

However, we did note several opportunities for improvement related to Medco’s physical and logical access controls.

[...]

• Controls for securely managing changes to the operating platform and claims processing application;
• Controls for monitoring privileged user activity on the operating platform;
• Procedures for routinely updating and patching the operating platforms; and
• Procedures for monitoring configuration through vulnerability scans.

Nothing came to our attention to indicate that Medco does not have adequate controls related to configuration management.

D. Contingency Planning

We reviewed the following elements of Medco’s contingency planning program to determine whether controls were in place to prevent or minimize damage and interruptions to business operations when disastrous events occur:
• Business continuity plans for several business units, data center operations, pharmacies, and customer service;
• Business continuity plans for the check writing facility;
• Disaster recovery plan for the claims processing system;
• Disaster recovery plan tests conducted in conjunction with the recovery site; and
• Emergency response procedures and training.

We determined that the service continuity documentation reviewed contained the critical elements suggested by NIST SP 800-34, “Contingency Planning Guide for IT Systems.” Medco has identified and prioritized the systems and resources that are critical to business operations, and has developed detailed procedures to recover those systems and resources.

Nothing came to our attention to indicate that Medco has not implemented adequate controls related to contingency planning.

E. Claims Adjudication

The following sections detail our review of the applications and business processes supporting Medco’s claims adjudication process.

Application Configuration Management

The OIG evaluated the policies and procedures governing software development and change control of Medco’s claims processing applications.

Medco has extensive policies and procedures related to application configuration management. Medco has adopted a traditional systems development lifecycle methodology that IT personnel follow during routine software modifications.
The following controls related to testing and approvals of software modifications were observed:
• Medco has adopted practices that allow modifications to be tracked throughout the change process;
• Code, unit, system, and quality testing are all conducted in accordance with industry standards; and
• Medco uses an automated tool to move the code between software libraries and ensure adequate segregation of duties.

Claims Processing System

We evaluated the input, processing, and output controls associated with Medco’s claims adjudication systems. We determined that Medco has implemented policies and procedures to help ensure that:
• Claims scheduled for payment are actually paid;
• Claims are monitored as they are processed through the systems with real time tracking of the system’s performance; and
• Paper claims that are received in the contracted mail room are tracked to ensure timely processing (aging reports).

Debarment

Medco employees download the Health and Human Services (HHS) OIG debarment list every month and compare it to the Medco pharmacy master database. Any debarred pharmacies that appear in Medco’s pharmacy master database are promptly removed. Removing the pharmacy from the master database prevents claims submitted by that pharmacy from processing successfully during the claims adjudication process. However, Medco’s procedures only consider the HHS debarment list and not the debarred provider listing maintained by the OPM OIG.
Failure to update the debarment database with the OPM OIG exclusion list increases the risk that claims are being paid to providers that are debarred by OPM but not by HHS.

Recommendation 3
We recommend that Medco implement procedures to routinely update its pharmacy master database with OPM OIG’s debarred provider listing.

Note: this recommendation does not apply to Medco’s BCBS contract, as Medco does not process retail pharmacy claims for BCBS.

Medco Response:
“Medco notes that in addition to screening against the HHS OIG list referenced in the audit finding, Medco also checks the Excluded Parties List System (EPLS) maintained by the General Services Administration. It is Medco’s understanding that all executive agencies of the federal government provide information relating to exclusion, debarment or suspension for inclusion on the EPLS. Medco notes that OPM is included in the list of agencies in EPLS. Medco believes that by screening against the EPLS, Medco meets OPM’s requirements. Please refer to the attached monthly review memo (Attachment 1) that was provided to OPM OIG. The memo notes that the General Services Administration list is checked monthly.”

OIG Reply:
Although the EPLS contains much of the same data as the OPM OIG’s debarred provider listing, the EPLS is not acceptable for use by FEHBP contractors when making decisions that impact FEHBP members.

The EPLS is a public site that contains limited data regarding OPM suspended and debarred providers. It does not provide FEHBP contractors with all the data elements needed to make decisions regarding payment/nonpayment of FEHBP claims.

OPM requires its contracted insurance carriers to process all FEHBP claims against a sanctions database that is updated monthly with OPM’s debarment and suspension data.
OPM uses a secure webpage to electronically disseminate debarment/suspension/termination information to FEHBP carriers, and this webpage is OIG’s exclusive method for distributing debarment and suspension data to FEHBP carriers.

OPM may also post messages on the secure webpage concerning debarment and suspension-related operational matters, as well as corrections to prior data. Therefore, it is important that contractors visit the webpage periodically between the regular postings.

We continue to recommend that Medco implement procedures to routinely update its pharmacy master database with OPM OIG’s debarred provider listing.

Special Investigations and Fraud

The OIG evaluated the Medco policies and procedures governing special investigations and fraud. We determined that Medco has substantial policies and procedures in place to detect, manage, and report fraud. There were no opportunities for improvement noted during our review.

Application Controls Testing

We conducted a testing exercise on Medco’s claims adjudication applications to validate the systems’ claims processing controls. The exercise involved developing test claims designed with inherent flaws and evaluating the manner in which Medco’s systems processed the claims.

The sections below document opportunities for improvement related to Medco’s application controls.

a) Invalid Prescriber

Medco’s claims processing applications do not have the ability to detect prescriptions containing invalid prescriber identifiers (identifiers not assigned to an active licensed provider).

We submitted test claims for prescriptions written by non-existent prescribers.
The National Provider Identifier (NPI) numbers for these providers had a valid structure (last number was a correctly calculated check digit), but they were not assigned to a valid prescribing doctor. We also submitted test claims that contained an NPI number without an accurate check digit.

Medco’s system appropriately suspended the claims containing NPI numbers with incorrect check digits. However, all claims with an accurate check digit were processed and paid without encountering any system edits or suspensions, even though the NPI numbers were not assigned to a valid prescriber.

Although retail pharmacies should validate prescribers before submitting a prescription claim, we believe that it is the responsibility of Medco to verify that prescriptions are written by valid prescribers prior to authorizing a claim for payment. A centralized method of verifying NPI numbers would be more efficient than relying on the efforts of various pharmacies whose processes Medco cannot control, and would also provide Medco assurance that all claims are verified with consistent quality.

The weakness in the current control structure could be exploited by individuals submitting fraudulent prescriptions from an invalid prescriber. If the pharmacist filling the prescription does not detect the anomaly, Medco will pay benefits for the claim and the individual will gain unauthorized access to prescription drugs. This risk of fraudulent activity is even greater for mail order claims, where Medco is also the pharmacy filling the prescription and there is no second level of control added from a retail pharmacist.
Medco confirmed that the only validation it does of prescriber identifiers on both retail and mail order claims is to validate the NPI check digit and verify that the prescriber is not on the OIG debarred provider list.

Recommendation 4
We recommend that Medco make the appropriate system modifications in order to detect claims being processed with invalid prescriber identifiers. Prescriber identifiers include: NPI, Drug Enforcement Agency (DEA) number, Unique Provider Identification Number (UPIN), or state license number.

Claims that do not contain a valid prescriber identifier should not be rejected at the point of sale, but Medco should attempt to retroactively obtain a valid identifier for these claims. When unable to obtain a valid prescriber identifier, Medco should pursue reimbursement from the pharmacy or member that submitted the claim. All funds recovered should be returned to OPM via the FEHBP carriers.

Medco Response:
“Medco notes that each plan determines the edits that are in place for that plan. Currently, no plan has requested the type of edit described above. Moreover, the recommendation, if implemented by the plans, will result in patients not obtaining drugs from prescribers who are licensed prescribers. This is because not all prescribers have NPI numbers at this time. Furthermore, while the above recommendation directs Medco to the CMS file, it does not take into account that the CMS file (1) is furnished only every 4-6 weeks, and thus does not provide current information; (2) does not require that the prescriber register using the exact name that might be on the patient’s prescription; (3) does not provide all the addresses at which a prescriber practices (it only has one location); (4) does not provide termination dates for NPI numbers; and (5) does not provide clear practice area information.
Thus, relying on this database would result in legitimate claims being rejected at point of sale. The recommendation also does not take into account instances where, for example, a vaccine is administered at a pharmacy so the NPI number for the prescriber could be the same as the NPI of the pharmacy.

For 2012, CMS continues to instruct plans not to reject a claim at point of sale for invalid NPI numbers, so OPM’s recommendation runs counter to CMS’s requirement and will result in patients not receiving drugs to which they are entitled that are prescribed by licensed prescribers. However, if the plans choose to implement this recommendation, Medco will implement it.”

Additional comments from Medco’s FEHBP clients:

GEHA: “We concur with Medco’s response and would not want to implement an edit that would prevent enrollees from receiving medications to which they are entitled.”

OIG Reply:
Medco is correct that for 2012, the Department of Health and Human Services (HHS) Center for Medicare and Medicaid Services (CMS) instructed plans not to reject Medicare Part D claims at a point of sale for invalid NPI numbers. The 2012 CMS Final Call Letter to all Medicare prescription drug plan sponsors states that “sponsors should not reject a pharmacy claim solely on the basis of an invalid prescriber identifier unless the issue can be resolved at point-of-sale.” However, this same document referenced by Medco also states that Prescription Drug Event (PDE) records submitted to CMS must contain one of four types of prescriber identifiers (including NPI), and that plans must ensure that these identifiers are active and valid.
Therefore, if a valid prescriber ID is not included on the Part D claim, the
sponsor must retroactively acquire a valid ID before submitting the PDE to CMS. The Call
Letter also states that CMS is considering limiting acceptable prescriber identifiers to NPIs in
2013.

Furthermore, an audit report from the Inspector General at HHS recommended that Part D
plans “institute procedures to (1) identify invalid identifiers in the prescriber identifier field
on Part D drug claims and (2) flag for review Part D drug claims that contain invalid
identifiers in the prescriber identifier field [1].”

[1] HHS OIG Audit Report “Invalid Prescriber Identifiers on Medicare Part D Drug Claims.”
http://oig.hhs.gov/oei/reports/oei-03-09-00140.pdf (page 4/25)

Our draft audit report recommended that Medco make the appropriate system
modifications in order to detect claims being processed with invalid NPIs. In order to be
consistent with HHS, we modified the recommendation so that it does not explicitly require
NPI numbers to be validated. Rather, we recommend that Medco’s validation of the
prescriber can be done by any of the four valid prescriber identifiers allowed by HHS (DEA,
NPI, UPIN, or state license numbers). We also recommend that claims should not be
rejected at the point of sale for missing a valid prescriber identifier, but Medco should
attempt to retroactively obtain a valid identifier for these claims.
When unable to obtain a
valid prescriber identifier, Medco should pursue reimbursement from the pharmacy or
member that submitted the claim.

b) Expired Prescriptions

Medco’s claims processing applications do not have the controls in place to accurately
process claims based on state laws for expired prescriptions.

We submitted several test claims for prescriptions where the fill date was between 5 months
and 2 years after the prescription was written. Medco’s system denied all claims that were
filled more than one year after the issue date, and paid all claims that were less than one year
old. However, several U.S. states and territories have prescription laws that do not conform
to the one year expiration timeline, and Medco is not accurately processing claims from these
areas.

For example, prescriptions from Puerto Rico expire after 6 months, but Medco’s system
would inappropriately process and pay claims from there that were between 6 and 12 months
old.

In addition, prescriptions from the states listed below expire at a point in time greater than
one year. Medco’s system inappropriately denies claims for prescriptions older than one year
but within the legal limit for that area.
This practice could prevent FEHB members from
receiving medication that they are legally entitled to.

States where prescriptions expire later than one year:
• Alabama (no expiration)
• California (no expiration)
• Connecticut (no expiration)
• District of Columbia (no expiration)
• Georgia (no expiration)
• Idaho (15 months)
• Iowa (18 months)
• Maine (15 months)
• Massachusetts (no expiration)
• New Mexico (no expiration)
• New York (no expiration)
• Oregon (24 months)
• South Carolina (24 months)
• South Dakota (no expiration)
• Wyoming (24 months)

Recommendation 5
We recommend that Medco make the appropriate system modifications to alert pharmacies in
Puerto Rico when they attempt to submit claims for expired prescriptions (those more than
six months old).

Medco Response:
“Medco notes that effective November 2011, the edit that previously allowed claims at
Puerto Rico pharmacies to be filled up to 12 months after the prescription was written was
changed in our system. Going forward, any claims submitted from a Puerto Rico
pharmacy will now reject if the fill date would be more than 6 months from the date on
which the prescription was written.
With regard to mail service, as per the case law from
2000, the US Court of Appeals for the First Circuit affirmed a district court decision that
the Pharmacy Act of PR is not applicable to mail-order services based outside of Puerto
Rico that supply pharmaceuticals to customers within Puerto Rico.”

OIG Reply:
As part of the audit resolution process, we recommend that Medco provide OPM’s HIO with
evidence that its systems have been modified to alert pharmacies in Puerto Rico when they
attempt to submit claims for expired prescriptions.

Recommendation 6
We recommend that Medco make the appropriate system modifications to approve and pay
claims greater than one year old if allowed by the prescription laws in that state.

Note: this recommendation does not apply to Medco’s BCBS contract, as Medco does not
process retail pharmacy claims for BCBS.

Medco Response:
“First, pharmacy regulations in the states in which the back end pharmacies are located
do not allow a prescription that is over one year from when it is written to be transferred
into the pharmacy. Thus, Medco is adhering to pharmacy law. For retail pharmacies,
plans have the ability to determine coverage for a prescription, even if the coverage limits
are more stringent than provided by pharmacy law. So, for example, pharmacy law might
allow a member to obtain a refill of a prescription a few days after obtaining the original
fill; however, the plan, as a matter of plan design, might use a refill too soon edit to
prevent that refill from being paid for by the plan. Similarly, pharmacy law would allow
any valid prescription to be filled, but the plan design might not cover a particular drug if
it were off the formulary; or required prior authorization. The same logic applies for
payment of claims for prescriptions that are over a year old.
This might be allowed by
pharmacy law in certain states; however, it is generally not contemplated by our plans.

If the plans decide to implement this recommendation and allow prescriptions over a year
old to be filled at retail pharmacies, Medco will implement the request of the plans.”

Additional comments from Medco’s FEHBP clients:

GEHA: “Since the majority of the Plan’s prescription spend is through mail order, we
would need to maintain a standardized one year renewal period for all prescriptions.”

FSBP: We wish “to keep within our contract and allow only one (1) year for prescription
refills.”

OIG Reply:
We acknowledge the fact that individual plans maintain the right to set coverage limits that
are more stringent than state pharmacy laws, and that GEHA and FSBP have done so. We
recommend that APWU and SAMBA inform Medco whether they wish to continue the
one-year expiration limit or to allow claims to adjudicate based on prescription expiration dates
outlined in state laws.

F. Health Insurance Portability and Accountability Act
The OIG reviewed Medco’s efforts to maintain compliance with the security and privacy
standards of HIPAA.

Medco has implemented a series of IT security policies and procedures to adequately address the
requirements of the HIPAA security rule. Medco has also developed a series of privacy policies
and procedures that directly addresses all requirements of the HIPAA privacy rule. Each line of
business, subsidiary, and some departments have designated a Privacy Official who has the
responsibility of ensuring their area is compliant with HIPAA Privacy and Medco's HIPAA
Privacy policies.
Medco employees receive HIPAA-related training during new hire orientation,
as well as annual refresher training.

Nothing came to our attention that caused us to believe that Medco is not in compliance with the
various requirements of HIPAA regulations.

III. Major Contributors to This Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector
General, Information Systems Audits Group. The following individuals participated in the audit
and the preparation of this report:
•                  , Group Chief
•                     , Senior Team Leader
•                        , IT Auditor
•                     Auditor
•                         , IT Auditor
•                   , IT Auditor

Medco Health Solutions, Inc.
100 Parsons Pond Drive
Franklin Lakes, NJ 07417

tel 201 269 3400
www.medco.com

Medco Response:
Medco notes that in addition to screening against the HHS OIG list referenced in the audit
finding, Medco also checks the Excluded Parties List System (EPLS) maintained by the General
Services Administration. It is Medco’s understanding that all executive agencies of the federal
government provide information relating to exclusion, debarment or suspension for inclusion on
the EPLS.
Medco notes that OPM is included in the list of agencies in EPLS. Medco believes
that by screening against the EPLS, Medco meets OPM’s requirements. Please refer to the
attached monthly review memo (Attachment 1) that was provided to OPM OIG. The memo notes
that the General Services Administration list is checked monthly.

Invalid Prescriber: Recommendation 4
Medco’s claims processing applications do not have the ability to detect prescriptions
containing invalid (non-existent) prescribers. We submitted test claims for prescriptions written
by non-existent prescribers. The National Provider Identifier (NPI) numbers for these providers
had a valid structure (last number was a correctly calculated check digit), but they were not
assigned to a valid prescribing doctor. We also submitted test claims that contained an NPI
number without an accurate check digit. Medco’s system appropriately suspended the claims
containing NPI numbers with incorrect check digits. However, all claims with an accurate check
digit were processed and paid without encountering any system edits or suspensions, even
though the NPI numbers were not assigned to a valid prescriber.

Although retail pharmacies should validate prescribers before submitting a prescription
claim, we believe that it is the responsibility of Medco to verify that prescriptions are written
by valid prescribers prior to authorizing a claim for payment. A centralized method of
verifying NPI numbers would be more efficient than relying on the efforts of various
pharmacies whose processes Medco cannot control, and would also provide Medco assurance
all claims are verified with consistent quality.
The weakness in the current control structure
could be exploited by individuals submitting fraudulent prescriptions from an invalid prescriber.
If the pharmacist filling the prescription does not detect the anomaly, Medco will pay benefits for
the claim and the individual will gain unauthorized access to prescription drugs.

A current database of valid NPI numbers is actively maintained by the Centers for Medicare
and Medicaid Services. Medco could leverage this resource to make improvements to its
claims adjudication process.

We recommend that Medco make the appropriate system modifications in order to detect
claims being processed with invalid NPIs.

Medco Response:
Medco notes that each plan determines the edits that are in place for that plan. Currently, no plan
has requested the type of edit described above. Moreover, the recommendation, if implemented
by the plans, will result in patients not obtaining drugs from prescribers who are licensed
prescribers. This is because not all prescribers have NPI numbers at this time.
Furthermore,
while the above recommendation directs Medco to the CMS file, it does not take into account
that the CMS file (1) is furnished only every 4-6 weeks, and thus does not provide current
information; (2) does not require that the prescriber register using the exact name that might be
on the patient’s prescription; (3) does not provide all the addresses at which a prescriber
practices (it only has one location); (4) does not provide termination dates for NPI numbers; and
(5) does not provide clear practice area information. Thus, relying on this database would result
in legitimate claims being rejected at point of sale.
The recommendation also does not take into
account instances where, for example, a vaccine is administered at a pharmacy so the NPI
number for the prescriber could be the same as the NPI of the pharmacy.

For 2012, CMS continues to instruct plans not to reject a claim at point of sale for invalid NPI
numbers, so OPM’s recommendation runs counter to CMS’s requirement and will result in
patients not receiving drugs to which they are entitled that are prescribed by licensed prescribers.
However, if the plans choose to implement this recommendation, Medco will implement it.

Expired Prescriptions: Recommendation 5
We recommend that Medco make the appropriate system modifications to alert pharmacies in
Puerto Rico when they attempt to submit claims for expired prescriptions (those more than
six months old).

Medco Response:
Medco notes that effective November 2011, the edit that previously allowed claims at Puerto
Rico pharmacies to be filled up to 12 months after the prescription was written was changed in
our system. Going forward, any claims submitted from a Puerto Rico pharmacy will now reject if
the fill date would be more than 6 months from the date on which the prescription was written.
With regard to mail service, as per the case law from 2000, the US Court of Appeals for the First
Circuit affirmed a district court decision that the Pharmacy Act of PR is not applicable to
mail-order services based outside of Puerto Rico that supply pharmaceuticals to customers within
Puerto Rico.

Expired Prescriptions: Recommendation 6
We recommend that Medco make the appropriate system modifications to approve and pay
claims greater than one year old if allowed by the prescription laws in that state.

Medco Response:
First, pharmacy regulations in the states in which the back end pharmacies are located do not
allow a prescription that is over one year from when it is written to be transferred into the
pharmacy.
Thus, Medco is adhering to pharmacy law. For retail pharmacies, plans have the
ability to determine coverage for a prescription, even if the coverage limits are more stringent
than provided by pharmacy law. So, for example, pharmacy law might allow a member to obtain
a refill of a prescription a few days after obtaining the original fill; however, the plan, as a matter
of plan design, might use a refill too soon edit to prevent that refill from being paid for by the
plan. Similarly, pharmacy law would allow any valid prescription to be filled, but the plan design
might not cover a particular drug if it were off the formulary; or required prior authorization. The
same logic applies for payment of claims for prescriptions that are over a year old. This might
be allowed by pharmacy law in certain states; however, it is generally not contemplated by our
plans.

If the plans decide to implement this recommendation and allow prescriptions over a year old to
be filled at retail pharmacies, Medco will implement the request of the plans.
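
The prescriber-identifier control discussed under Recommendation 4 can be sketched as below: a check-digit test alone passes well-formed but unassigned NPIs, so a registry lookup is layered on top and failures are flagged for retroactive follow-up instead of being rejected at the point of sale. This is an added example, not Medco's or the OIG's code; the registry set, claim IDs and disposition names are assumptions, and the sample NPIs are constructed.

```python
from dataclasses import dataclass
from enum import Enum

# Standard NPI check: Luhn over the 10-digit NPI with the "80840" prefix prepended.
NPI_LUHN_PREFIX = "80840"


class Disposition(Enum):
    SUSPEND = "suspend"            # bad check digit: the edit the report says already exists
    PAY = "pay"                    # well-formed and present in the registry
    PAY_AND_FLAG = "pay_and_flag"  # paid at point of sale, queued for retroactive follow-up


@dataclass(frozen=True)
class Claim:
    claim_id: str        # hypothetical field name
    prescriber_npi: str  # hypothetical field name


def npi_checksum_ok(npi: str) -> bool:
    """Structural test only: ten ASCII digits whose last digit is a valid Luhn check digit."""
    if len(npi) != 10 or not (npi.isascii() and npi.isdigit()):
        return False
    total = 0
    # Walk right to left; every second digit (starting left of the check digit) is doubled.
    for i, ch in enumerate(reversed(NPI_LUHN_PREFIX + npi)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def adjudicate_prescriber(claim: Claim, active_npis: set) -> Disposition:
    """Layer a registry lookup on top of the check-digit test."""
    if not npi_checksum_ok(claim.prescriber_npi):
        return Disposition.SUSPEND
    if claim.prescriber_npi not in active_npis:
        # The gap the audit found: valid structure, but not assigned to a prescriber.
        return Disposition.PAY_AND_FLAG
    return Disposition.PAY


def follow_up_queue(claims, active_npis: set) -> list:
    """Claim IDs for which a valid prescriber identifier must be obtained after the fact."""
    return [c.claim_id for c in claims
            if adjudicate_prescriber(c, active_npis) is Disposition.PAY_AND_FLAG]


# Constructed data: a one-entry stand-in for a registry extract and three test claims.
CONSTRUCTED_REGISTRY = {"1234567893"}
SAMPLE_CLAIMS = [
    Claim("C1", "1234567893"),  # valid check digit, in registry
    Claim("C2", "1000000004"),  # valid check digit, not in registry
    Claim("C3", "1234567890"),  # wrong check digit
]

if __name__ == "__main__":
    for c in SAMPLE_CLAIMS:
        print(c.claim_id, adjudicate_prescriber(c, CONSTRUCTED_REGISTRY).value)
    print("follow up:", follow_up_queue(SAMPLE_CLAIMS, CONSTRUCTED_REGISTRY))
```

Because the registry extract can lag behind reality, the unassigned case is queued for review here and never used as a point-of-sale rejection.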